Davis CoPilot prompt examples
Davis CoPilot can help you analyze data for many different use cases. See the examples below to understand what kind of DQL output you can expect from your prompts.
Analyze logs with Davis CoPilot
Prompt
Generated query
Show me all logs
fetch logs
Show me all log lines from the last 6 hours
fetch logs, from:now() - 6h
Show me the maximum number of logs ingested per hour for each loglevel and each host
fetch logs | makeTimeseries by:{loglevel, host = dt.entity.host}, interval:1h, count = count() | summarize by:{loglevel, host}, max_count = max(arrayMax(count))
Compare the number of error logs from today with yesterday
fetch logs, from:bin(now(), 24h) | filter loglevel == "ERROR" | summarize todayErrorCount = count() | append [fetch logs, from:bin(now(), 24h) - 24h, to:bin(now(), 24h) | filter loglevel == "ERROR" | summarize yesterdayErrorCount = count()]
Show me all error logs over the last day with a granularity of one hour
fetch logs, from:now() - 24h | filter loglevel == "ERROR" | makeTimeseries interval:1h, count = count()
Show me the 5 log sources with the highest volume
fetch logs | summarize by:{log.source}, log_count = count() | sort log_count desc | limit 5
Show me the most recurring log lines and add a column with the log source and AWS region
fetch logs | summarize by:{content, log.source, aws.region}, count = count() | sort count desc
Summarize slow database queries from logs
fetch logs, from:now() - 48h | filter contains(content, "slow") AND contains(content, "database") | summarize by:{loglevel, content}, count = count()
What is causing the most error log lines?
fetch logs, from:now() - 2h | filter loglevel == "ERROR" | summarize by:{log.source}, errorCount = count() | sort errorCount desc | limit 1
Analyze events with Davis CoPilot
Prompt
Generated query
Return all events from the last three hours
fetch events, from:now() - 3h
How many service slowdown events occurred yesterday?
fetch dt.davis.events.snapshots, from:bin(now(), 24h) - 24h, to:bin(now(), 24h) | filter event.type == "SERVICE_SLOWDOWN" | summarize slowdown_count = count()
Analyze business events with Davis CoPilot
Prompt
Generated query
Show all business events during business hours grouped by type and category
fetch bizevents | fieldsAdd day_of_week = getDayOfWeek(timestamp), hour_of_day = formatTimestamp(timestamp, format:"HH") | filter day_of_week >= 1 AND day_of_week <= 5 AND hour_of_day >= 9 AND hour_of_day <= 17 | summarize by:{event.type, event.category}, count()
Analyze Davis events with Davis CoPilot
Prompt
Generated query
Compare the number of Davis events day-by-day for the last week
fetch dt.davis.events.snapshots, from:now() - 168h, to:now() | summarize by:{bin(timestamp, 24h)}, dailyEventCount = count()
Summarize how many and which categories of Davis events occurred
fetch dt.davis.events, from:-48h | summarize by:{event.category}, event_count = count()
Analyze spans with Davis CoPilot
Prompt
Generated query
Show me the average database response time broken down by host and database
fetch spans | filter span.kind == "client" AND isNotNull(db.system) AND isNotNull(server.address) AND isNotNull(db.namespace) | summarize by:{host = server.address, database = db.namespace}, avg_duration = avg(duration)
Analyze metrics with Davis CoPilot
Prompt
Generated query
Show the three most important metrics for host HOST-12ABC
timeseries by:{dt.entity.host}, filter:dt.entity.host == "HOST-12ABC", {availability = avg(dt.host.availability), uptime = avg(dt.host.uptime), cpu_usage = avg(dt.host.cpu.usage)} | fieldsAdd avg_availability = arrayAvg(availability), avg_uptime = arrayAvg(uptime), avg_cpu_usage = arrayAvg(cpu_usage) | sort avg_availability desc, avg_uptime desc, avg_cpu_usage desc | limit 3
Show each lambda function's execution time as metric timeseries
timeseries by:{dt.entity.aws_lambda_function}, avg_execution_time = avg(dt.cloud.aws.lambda.duration)
Compare last 24 hours' CPU usage with the corresponding timeframe from one week ago
timeseries from:now() - 24h, to:now(), cpu_usage_last_24h = avg(dt.host.cpu.usage) | append [timeseries from:now() - 168h - 24h, to:now() - 168h, cpu_usage_last_week = avg(dt.host.cpu.usage)]
Show me the top ten processes with respect to memory consumption and the host they are running on
timeseries by:{dt.entity.process_group_instance, dt.entity.host}, maxMemory = max(dt.process.memory.working_set_size) | summarize by:{dt.entity.process_group_instance, dt.entity.host}, maxMemory = max(maxMemory) | sort maxMemory desc | limit 10 | lookup [fetch dt.entity.host], sourceField:dt.entity.host, lookupField:id, fields:{entity.name}
Analyze entities with Davis CoPilot
Prompt
Generated query
Show me the top lambda function with respect to code size
fetch dt.entity.aws_lambda_function | sort awsCodeSize desc | fieldsKeep awsCodeSize, entity.name | limit 1
Show me the most tagged host groups
fetch dt.entity.host_group | fieldsAdd tags | expand tags | summarize by:{entity.name}, tag_count = count() | sort tag_count desc | limit 10
How many Azure VMs do we have compared to ec2 instances?
fetch dt.entity.azure_vm | summarize azure_vm_count = count() | append [fetch dt.entity.ec2_instance | summarize ec2_instance_count = count()]
Show me the 5 shortest lived Kubernetes services
fetch dt.entity.kubernetes_service | fieldsAdd id, entity.name, lifetime | fieldsAdd duration = toDuration(lifetime) | sort duration | limit 5
How many AWS lambda functions are deployed?
fetch dt.entity.aws_lambda_function | summarize deployed_functions = count()